1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

Apache Reverse Proxy+IIS+Client Certificate Authentication = sadface so far

Discussion in 'Apache' started by jessman, Jun 10, 2019.

  1. #1
    After thorough research I have come to ask for assistance.

    What I want is to create a configuration similar to what Apache/Tomcat have with I believe AJP only Apache to IIS.

    I know due to TLS, IIS, x509, it is generally difficult as what I am wanting to do creates a MITM (Man-In-The-Middle)

    Internet ==> Apache Reverse Proxy === IIS backend
    Authentication Client certificate

    I know the reason right now I am losing the header information on IIS is due to the TLS session ending after I hit my proxy server.

    I thought by configuring my virtual host utilizing
    SSLCACertificateFile it may work however I still receive the 403.7 (IIS).
    I was hoping to leverage mod_proxy parameters that I leverage with tomcat would work with IIS but I am having no success. My <virtual host> is using the following so far
    SSLEngine On
    SSLVerifyCLient require
    SSLVerifyDepth 4
    SSLCertificateFile ssl.crt/cert.pem
    SSLCertificateKeyFile ssl.crt/key.key
    SSLCACertficateFile ssl.crt/CAbundle.pem
    SSLOptions +ExportCertData
    SSLProxyEngine On
    JkMount /
    JKMount /
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass /location/ "url:7443"

    My goal was to build this <virtualHost> to where I have Apache Reverse Proxy working with both Tomcat and IIS on the backend both accepting client certificate login.
    The other approach I am looking into is attempting to see what header information occurs between apache and IIS and is there anyway to configure IIS to leverage x509 http syntax to grab the information and leverage that for authentication. I need to leverage HTTP and not HTTPS and capture that traffic with wireshark to see if there is anything there to work with.
    This is my debacle I am currently working through and appreciate any assistance.
    jessman, Jun 10, 2019 IP